Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence
Nuclear Accident Precursor Assessment
The Accident Sequence Precursor Program
MARTIN B. SATTISON
Idaho National Engineering and Environmental Laboratory
The U.S. Nuclear Regulatory Commission (USNRC) has operated an accident precursor program since 1979, pioneering this particular field of safety. The Accident Sequence Precursor (ASP) Program has provided useful insights into the effects of operational events on safety in the nuclear industry ever since. In the past 24 years, the program has matured along with the risk assessment tools and models upon which it depends.
The first probabilistic risk assessment (PRA) by a commercial nuclear power plant, the Reactor Safety Study (WASH-1400), was completed in 1975 (USNRC, 1975). The USNRC formed the Risk Assessment Review Group (commonly referred to as the Lewis Committee) to perform an independent evaluation of WASH-1400. That committee made a number of recommendations in 1978, including that more use be made of operational data to assess the risk from nuclear power plants. The Review Group’s report stated, “It is important, in our view, that potentially significant (accident) sequences, and precursors, as they occur, be subjected to the kind of analysis contained in WASH-1400” (USNRC, 1978). In response to that recommendation, the USNRC’s Division of Risk Analysis established the ASP in the summer of 1979, shortly after the Three Mile Island (TMI-2) accident. The first major report of that program, Precursors to Potential Severe Core Damage Accidents: 1969–1979, A Status Report (NUREG/CR-2497, Volume 1), was formally released in June 1982 (Minarick and Kukielka, 1982).
The primary focus of ASP was on evaluating the risk for a specific time period from all operating nuclear power plants (not individual plants), and this is still a primary objective of ASP. The implications of this objective have significantly influenced the way analyses are done, the nature of the results, and the types of insights expected from the program.
In the early years of ASP little emphasis was placed on detailed, accurate, plant-specific risk models. To the contrary, early risk models were generic and did not differentiate the physical and operational characteristics of plants in the nuclear fleet, except on a very crude level. However, this level of detail was adequate for the purposes of determining and trending the risk of high-level, industry-wide, severe core damage. In fact, ASP was pushing the state of the art in risk assessment to the limit, and asking for more would have been impractical. Only a few risk models besides WASH-1400, such as those for the Zion and Indian Point nuclear power plants, could have supported detailed risk assessments of operational events.
The first ASP risk models consisted of two sets of standardized, functional event trees, one for pressurized water reactors (PWRs) and one for boiling water reactors (BWRs), the two unique reactor designs in the U.S. light water reactor fleet. Each set of event trees presented the accident sequences stemming from four initiating events selected for the study:
loss of main feed water (the system that extracts the heat from the reactor)
loss of off-site power (requiring alternative power sources for key safety equipment)
small loss-of-coolant accident (LOCA) (a direct leak of coolant from the reactor pressure boundary)
break in the steam line (requiring actions to control reactivity and establish alternative long-term heat removal)
The first two initiating events were considered the most likely off-normal events of concern; the latter two represented bounding events for many of the safety-related systems in a reactor plant. The event trees were used to model most of the events selected as precursors. Figure 1 shows the standard event tree for loss of main feed water in a PWR (Minarick and Kukielka, 1982). With this limited set of event trees, a number of events of interest could not be properly evaluated without additional work. In these cases, unique event trees were developed.
Accident precursors were quantified in the framework of the event trees. “Unusual” initiating events and complete failures of safety-related functions were selected as precursors. The frequencies of initiating events were calculated based on the operating experience of the plants from 1969 through 1979. Function failure (branch point) probabilities were calculated based on observed failures in the operating event data and estimates of the number of test demands and additional nontest demands to which the function would be expected to respond. For each precursor event, the appropriate values were applied to the event tree accident sequences for which the observed event was considered a precursor. Because operators would not just sit back and watch an accident progress, the chance that a failure or initiating event could be rectified was included as a recovery action. The same process was used to evaluate the 1980–1981 accident precursors (Cottrell et al., 1984).
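The quantification described above, worked through as an added example that is not from the original chapter or from the ASP Program. The three-function event tree, the demand counts and the nonrecovery probability are all constructed for illustration and do not reproduce Figure 1 or any ASP model.

```python
from itertools import product

# Hypothetical, constructed event tree: three safety functions queried in order
# after an initiating event. These names are illustrative assumptions.
FUNCTIONS = ["trip", "secondary_cooling", "backup_cooling"]


def end_state(failed):
    """Map a set of failed functions to the end state of that accident sequence."""
    if "trip" in failed:
        return "core_damage"
    if {"secondary_cooling", "backup_cooling"} <= failed:
        return "core_damage"
    return "ok"


def branch_probability(failures, test_demands, nontest_demands):
    """Branch-point failure probability: observed failures over estimated demands."""
    return failures / (test_demands + nontest_demands)


# Constructed operating data: (observed failures, test demands, nontest demands).
OPERATING_DATA = {
    "trip": (1, 20000, 5000),
    "secondary_cooling": (5, 4000, 1000),
    "backup_cooling": (10, 900, 100),
}
BRANCH_P = {f: branch_probability(*d) for f, d in OPERATING_DATA.items()}


def ccdp(branch_p, observed_failed=None):
    """Conditional core-damage probability given that the initiating event occurred.

    observed_failed maps each function that actually failed in the event to its
    nonrecovery probability, i.e. the chance the failure is NOT rectified in time.
    That value replaces the function's data-derived failure probability.
    """
    p = dict(branch_p)
    p.update(observed_failed or {})
    total = 0.0
    # Enumerate every success/failure combination and keep core-damage sequences.
    for outcome in product([False, True], repeat=len(FUNCTIONS)):
        failed = {f for f, is_failed in zip(FUNCTIONS, outcome) if is_failed}
        if end_state(failed) != "core_damage":
            continue
        prob = 1.0
        for f, is_failed in zip(FUNCTIONS, outcome):
            prob *= p[f] if is_failed else 1.0 - p[f]
        total += prob
    return total


if __name__ == "__main__":
    baseline = ccdp(BRANCH_P)
    # Precursor: the initiating event occurred and secondary cooling failed;
    # 0.3 is a constructed probability that operators do not recover it.
    precursor = ccdp(BRANCH_P, {"secondary_cooling": 0.3})
    print(f"baseline conditional probability: {baseline:.3e}")
    print(f"precursor CCDP with recovery credit: {precursor:.3e}")
    print(f"precursor CCDP without recovery: {ccdp(BRANCH_P, {'secondary_cooling': 1.0}):.3e}")
```

The gap between the last two printed values is the effect of the recovery action: crediting operator recovery lowers the precursor's conditional probability without changing the tree.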
The event tree models used for assessments from 1969 to 1981 were acknowledged to be less than adequate. In 1984, ASP, with the help of the USNRC Accident Sequence Evaluation Program, identified classes of plants based on common responses to specific initiating events (transient, loss of off-site power, and small LOCA) and began to develop computerized, systemic event trees for each plant class. Based on the structure of the event trees, four PWR and three BWR plant classes were created. System models based on the train-level configurations were used in conjunction with plant-class event sequences to distinguish differences among plant designs.
The PWR reactor-trip event trees from the 1985 report (Minarick et al., 1986) were better representations of the individual plants, but still allowed use of operational data at a higher level (plant class). If a model is too plant specific, there are not enough operational data to evaluate events with confidence. If the model is too generic, the insights from the data will be limited. The 1985 models reflected a shift in emphasis away from industry averages toward the identification of specific precursors and a determination of their significance.
The new models were first used to evaluate (in parallel) the 1984 and 1985 accident precursors. In 1984, to reduce the time between the occurrence of precursors and their analysis, ASP skipped the 1982 and 1983 events and began analysis of the 1984 and 1985 events. The 1985 ASP report came out in December 1986 (Minarick et al., 1986); the 1984 ASP report came out in May 1987 (Minarick et al., 1987). The 1986 precursors were evaluated using essentially the same models.
Revised models were used to evaluate the 1987 precursors. The definitions of the BWR plant classes were adjusted, and the La Crosse plant was different enough to be placed in its own class. The PWR plants were divided into eight classes instead of four, which made possible better representations of actual plant configurations and characteristics (Minarick et al., 1989). Other changes were made to reflect new data on operator performance, to enable better models of emergency battery depletion during a station blackout (a total loss of all AC power sources), and to require that operable water-injection sources be available during venting of the containment building. (All commercial reactors in the United States are surrounded by containment buildings, which add another barrier between reactors and the environment.)
Models for the 1988 precursors were again significantly changed. The plants were grouped into eight classes: three for BWRs and five for PWRs. Core vulnerable sequences from previous models were reassigned, either as success or as core damage, and the likelihood of a failure of a reactor coolant pump seal following a station blackout was explicitly modeled. These models were used for precursor evaluations from 1989 through 1993.
The 1992 and 1993 precursor analyses included the potential use of alternate equipment and procedures, beyond those considered in the basic risk models, which had recently been added by licensees to provide additional protection against core damage. The 1992 precursor analyses were the first event assessments reviewed by plant licensees before they were published. This process has continued ever since. The 1982 and 1983 ASP evaluations were not begun until 1994 and were not completed until 1997. The same models and methods were used in 1993.
The 1994 ASP evaluations were the first to use models developed especially for ASP (Sattison et al., 1994) using the SAPHIRE risk assessment software package (USNRC, 1995). The event trees were expanded to include significantly more detail and additional initiating events, such as rupture of a steam-generator tube and anticipated transients without SCRAM (reactor trips). Plant-specific fault trees were used to capture the unique features of plant systems. Seventy-five plant-specific models were used to analyze precursors for the entire commercial fleet of more than 100 reactors.
The SAPHIRE-based models, which have been used ever since the 1994 analyses, have been improved based on visits with risk staffs at each facility. Changes were also made, and are still being made, in response to peer reviews.
THE EVENT SCREENING PROCESS
The nuclear industry was uniquely positioned to start an accident-precursor program because an operational data-collection mechanism, mandated by law, was already in place. In accordance with the U.S. Code of Federal Regulations (10CFR50), commercial nuclear power plants are required to report to the USNRC all operational events that represent a deviation from the licensing basis or failure/degradation of a safety function. The USNRC has permanent, on-site resident inspectors at each nuclear power plant to oversee daily activities. Thus, failure to report as required by law can be readily detected. In addition, potential penalties are severe, so compliance is virtually absolute. Reports submitted to NRC to satisfy the law, called licensee event reports (LERs), have a standard format and very detailed guidelines. LERs are closely scrutinized by the USNRC, and anything unclear is questioned and resolved with the submitter. LERs are then screened for a number of programs, including ASP. The USNRC determined that the reporting criteria established in the CFR would ensure that ASP could capture most potential accident precursors.
In the first ASP report, about 19,400 LERs were examined for accident precursors, which were defined in general terms as “events that are important elements in a chain of events (an accident sequence) possibly leading to core damage. Such precursors might be infrequent initiating events or equipment failures that, when coupled with one or more postulated events, could result in a plant condition leading to severe core damage” (Minarick and Kukielka, 1982).
There were specific acceptance criteria for further evaluation of accident precursors:
any failure of a system that should have functioned as a consequence of an off-normal event or accident
any instance of two or more failures
all events that resulted in or required initiation of safety-related equipment (except events that required only a reactor trip and the reactor trip was successful)
all complete losses of off-site power and any less-frequent, off-normal initiating events or accidents
any event or operating condition that was not within the plant design bases or that proceeded differently from the plant design bases
any other event that, based on the reviewer’s experience, could have resulted in or significantly affected a chain of events leading to potential severe core damage
These criteria served only as guidelines, and the reviewers were heavily relied upon to exercise judgment during the screening process to ensure that no LERs were screened out that shouldn’t have been and that the screening process effectively reduced the number of events requiring further evaluation. The evaluation of the 1980–1981 events used the same acceptance criteria and processes.
The first changes to the LER selection process were made for the selection of 1985 precursors (the next events analyzed after the 1980–1981 events). The six criteria listed above were consolidated and simplified down to five criteria with little change in their meaning. The selection process was separated into two parts, an initial screening and a detailed review. In addition, more consideration was given to events that could not be easily categorized:
flooding and fire
water hammer (a thermal-hydraulic phenomenon that can cause high stresses in piping)
natural phenomena, such as earthquakes and tornadoes
inadvertent activation of safety systems
natural circulation degradation (coolant circulation caused by differences in temperature and elevation)
failures of control systems
reactivity insertion (changes in the ability to sustain a controlled nuclear chain reaction)
inadvertent closure of the main steam-isolation valve (interference with the normal method of removing heat from the reactor)
excessive coolant or steam generator inventory
One of the major changes to the precursor selection process was a revision to the LER rule that became effective in 1984 requiring that a detailed report be provided of all operational events involving a reactor trip. All of these events were captured in the initial screening.
The 1987 precursor selection process, in addition to the typical precursors, identified events involving a loss of containment function and other events that were considered serious but were not modeled (although these were not called precursors). Two changes were made to the LER review and precursor selection process. First, LERs were initially prioritized for further review using the Sequence Coding and Search System (SCSS) database to identify the candidate LERs. Second, events were included in the main body of the report only if they had conditional core-damage probabilities (CCDPs) greater than 1 × 10⁻⁶ per reactor year. This was the first time ASP used quantitative criteria in the precursor determination process.
The screening and review process for the 1988–1992 precursors was significantly modified. The initial screening of LERs was performed by the USNRC Office for Analysis and Evaluation of Operational Data (AEOD), which used criteria that were more oriented toward regulatory and safety issues and less oriented toward risk.
The 1993 analysis used the screening criteria from the previous year, but added the criterion that any event must be included for which an augmented inspection team (AIT) or incident investigation team (IIT) report was written. AITs and IITs are formed for events of special interest or significance to USNRC. The same criteria were used for the 1994–1997 analyses, as well as for selection of the 1982–1983 precursors, which were not completely analyzed until 1997.
Little has changed in the selection criteria since the 1993 precursor report. In the late 1990s, it was recognized that long-duration unavailability of a key component, even if there was sufficient redundancy, could be risk-significant. The screening algorithm for the SCSS review was therefore revised to capture these types of events.
TRENDS OF THE RESULTS
For the 1969–1979 analyses, 169 accident sequence precursors were identified. The frequency of severe core damage was estimated to be 2.3 × 10⁻³ per reactor year. The results did not show any variation with plant age, plant type, plant capacity, vendors, or architect-engineers.
The analysis of 1980–1981 operational events represents a transitional period immediately following the TMI-2 accident. During that period, many plant configuration and operational changes were mandated, with implementation taking place over a long transitional period. Fifty-eight events were selected as accident precursors, approximately the same number per year as in 1969–1979, but the risk significance of these events was less. Lower risk was attributed to improvements in some system reliabilities, additional protective features, and a decrease in the degree of coupling observed in the precursors. The estimated industry average frequency of severe core damage based on the 1980–1981 precursors was 1.6 × 10⁻⁴ per reactor year. (The 1982 and 1983 precursors were not analyzed until 1997 and will be discussed later.)
The 1984 and 1985 precursors were analyzed in parallel; the 1985 precursor report came out six months before the 1984 report. The 1986 precursors used the same models and methods (Minarick et al., 1988). Forty-eight precursors were identified in 1984, 63 in 1985, and 34 in 1986. The 1984, 1985, and 1986 reports did not present an average severe core-damage frequency based on the precursors. Instead, distributions of precursors as a function of CCDP were shown in a table (Table 1).
In the evaluation of the 1987 precursors, ASP began to distinguish between precursors with a CCDP greater than 1 × 10⁻⁶ and those with a CCDP of less than 1 × 10⁻⁶; only the former were included in the main body of the report. In 1987, there were 63 precursors, 33 of which had a CCDP of 1 × 10⁻⁶ or higher. The 1988 precursor report identified 32 precursors (greater than 1 × 10⁻⁶) (Minarick et al., 1990a). The 1988 report also identified 28 LERs that were impractical to analyze but were described in a table. The 1989 precursor report identified 30 precursors and 27 events that were potentially significant but impractical to analyze (Minarick et al., 1990b).
The 1990 precursor report identified 28 precursors and 53 events that were potentially significant but impractical or lacked sufficient information to analyze (Minarick et al., 1991). In 1990, for the first time, two events were analyzed that took place while the reactor was shut down. The 1991 precursor report (Minarick et al., 1992) identified 29 precursors and 45 events that were potentially signifi-
TABLE 1 Distribution of Precursors as a Function of CCDP, 1984–1986
                            Number of Precursors
CCDP                        1984    1985    1986
1 × 10⁻² to 1 × 10⁻¹        0       1       0
1 × 10⁻³ to 1 × 10⁻²        1       1       2
1 × 10⁻⁴ to 1 × 10⁻³        16      8       4
1 × 10⁻⁵ to 1 × 10⁻⁴        8       14      8
1 × 10⁻⁶ to 1 × 10⁻⁵        8       16      5
1 × 10⁻⁷ to 1 × 10⁻⁶        8       7       3
1 × 10⁻⁸ to 1 × 10⁻⁷        3       7       7
1 × 10⁻⁹ to 1 × 10⁻⁸        2       6       4
1 × 10⁻¹⁰ to 1 × 10⁻⁹       2       3       1

operating experience (based on the first comprehensive, probabilistic risk assessment, WASH-1400).
ASP was established just at the time of the TMI-2 accident, which was unfortunate for two reasons. First, because of TMI-2 there was a sense of urgency about getting the program started to see if other potential TMIs were lurking about. This emphasis caused the program to become focused on a narrow range of issues rather than exploring broader goals, such as the classification and ranking of precursors according to frequency of occurrence rather than CCDP. Second, TMI-2 forced ASP in the direction of post-event risk assessment. The primary questions after TMI-2 were the probability of another TMI-2, whether existing probabilistic risk assessments could have predicted TMI-2, and how close other events had come to causing core damage.
Ideally, a comprehensive accident precursor program should accomplish a number of goals:
Identify the nature of accident precursors for the industry. This requires that precursor categories be defined based on accident sequences determined from full-scope risk assessments for the entire range of facilities and systems. This is important because accident precursors are typically small segments of one or more accident sequences, and assessing accident precursors includes mapping these events onto the risk models. If noteworthy events are observed that cannot be mapped, the risk models may not be adequate.
Prioritize or rank precursor categories based on both frequency of occurrence and risk significance. Ranking by frequency of occurrence for each category of precursor indicates the weaknesses in facilities at risk for accidents. Ranking by risk significance focuses attention on the precursor categories for which there is less protection. Because the analyses of these two ranking methods are quite different, the program should establish procedures and criteria for each.
Provide a means of feedback to the industry. Analysis is useless unless it is reflected in the design, operation, and maintenance of facilities and systems. Vulnerabilities must be addressed either to reduce the frequency of occurrence or to increase resistance to the consequences.
To accomplish these goals, an accident precursor program should have the following characteristics:
The program should be owned by a recognized authority in the industry and should be driven by consistent, robust goals and objectives that address the needs of the future. Operational events should be considered precursors to more serious events; from these precursors, the program should provide insights into improving safety in the future.
The program must be supported by an infrastructure that can sustain it. A system must be in place for gathering appropriate operational data and providing access to data providers when more detailed information is needed. Barriers to full and honest disclosure, such as proprietary information and fear of repercussions, must be addressed. Also, industry members must have incentives (either voluntary or by regulatory action) for participating.
The program should provide a trending and tracking system to correlate changes in industry design and practices with changes in the occurrence and nature of observed precursors. The system should also be able to distinguish between changes in trends that reflect real progress in the field and changes attributable to maturing of the process and program. The program could then provide excellent feedback to the industry on the real impact of the precursor program.
Systems and methods should be sensitive enough to identify an operational event as a precursor without generating too many “false detects” of events of little interest. The event-reporting requirements and event screening and selection criteria and processes must remain consistent over time to support trending and analysis.
Risk assessment in the industry must be mature enough to instill confidence that potential accident sequences have been identified and that the models used to assess events are sufficient and only need changes that reflect the configurations and operating practices of specific facilities. Risk models must be updated to reflect improvements in facilities, but these changes should be made in a way that does not change the level of detail or the scope of coverage. This will facilitate trending and comparison over the years.
Analysis should be performed on a continual basis by a consistent team of analysts to ensure the timeliness and consistency of results.
REFERENCES
Belles, R.J., J.W. Cletcher, D.A. Copinger, B.W. Dolan, J.W. Minarick, and L.N. Vanden Heuvel. 1995. Precursors to Potential Severe Core Damage Accidents: 1994, A Status Report. NUREG/CR-4674, Vols. 21–22, December 1995. Washington, D.C.: U.S. Nuclear Regulatory Commission.
Belles, R.J., J.W. Cletcher, D.A. Copinger, B.W. Dolan, J.W. Minarick, and M.D. Muhlheim. 1997a. Precursors to Potential Severe Core Damage Accidents: 1995, A Status Report. NUREG/CR-4674, Vol. 23, April 1997. Washington, D.C.: U.S. Nuclear Regulatory Commission.
Belles, R.J., J.W. Cletcher, D.A. Copinger, B.W. Dolan, J.W. Minarick, and M.D. Muhlheim. 1997b. Precursors to Potential Severe Core Damage Accidents: 1996, A Status Report. NUREG/CR-4674, Vol. 25, December 1997. Washington, D.C.: U.S. Nuclear Regulatory Commission.
Belles, R.J., J.W. Cletcher, D.A. Copinger, B.W. Dolan, J.W. Minarick, and M.D. Muhlheim. 1998. Precursors to Potential Severe Core Damage Accidents: 1997, A Status Report. NUREG/CR-4674, Vol. 26, November 1998. Washington, D.C.: U.S. Nuclear Regulatory Commission.